A remote mailbox created in on-premises AD DS is not ACLable in Exchange Online
Original KB number: 4051497
Symptoms
Consider the following scenario:
- A remote mailbox is created in on-premises Active Directory Domain Services (AD DS) environment by using the
New-RemoteMailboxcmdlet. - A mailbox is provisioned in Exchange Online.
In this scenario, the remote mailbox object in the on-premises AD DS is not considered ACLable. On-premises users cannot add the cloud mailbox user as a delegate or cannot grant folder permissions.
Workaround
To work around this issue, update the msExchRecipientDisplayType property of the remote mailbox to a value of -1073741818 in the on-premises AD DS.
You can also use the ACLableSyncedObjectEnabled parameter in the New-RemoteMailbox or Enable-RemoteMailbox cmdlet to create the remote mailbox as an ACLable object.
For more information about the cmdlets, see the following articles:
Status
This behavior is by design.
More information
Starting in Microsoft Exchange 2013 Cumulative Update 10, you can make migrated users ACLable by setting an organization configuration. To do this, run the following command:
Set-OrganizationConfig -ACLableSyncedObjectEnabled $True
Note
This requires that an on-premises mailbox is migrated to Exchange Online instead of being provisioned directly in Exchange Online.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for